[scponly] won't someone _please_ think of the archives ? (scponly + unison + chroot)
Ensel Sharon
user at dhp.com
Wed Oct 4 11:05:53 EDT 2006
On Tue, 3 Oct 2006, Kaleb Pederson wrote:
> That seems really strange and doesn't make sense to me. Can you strace the
> ssh process that execs unison (capturing output for child processes) and send
> it to me?
>
> If you can, I'll take a look and let you know.
>
> > See the problem ? In both cases unison is spitting back to the _remote
> > user_ the full path leading into the chroot - something that, IMO, they
> > should never see.
>
> Yes. Unless it is somehow in the chroot (like the /etc/passwd file within the
> chroot) or scponly is doing something strange, I don't see how that would
> happen -- note that I haven't looked at any of the unison specific code
> though.
Well, perhaps this is my fault then.

My setup is simple - everyone has the same home directory:

/home

And that is in _both_ the root /etc/passwd and the chroot /etc/passwd

And inside of /home are a bunch of "incoming" directories, one per user -
the user has no right (except traversal) to /home, and has no rights at
all to any of the incoming dirs except their own.

This allows me to maintain only a single chroot skeleton (/etc,/bin,/usr
and so on). Further, this has worked great - no problems with any ssh apps
(except unison).

BUT, you are correct - both /etc/passwd and (chroot)/etc/passwd contain
the same thing: /home for everyone's home directory.

What would you put in its place ?

(honestly I just thought the home-dir field in the chroot/etc/passwd was
just a placeholder and didn't matter - which was somewhat justified given
that it has worked wonderfully, until unison)

(are you sure Paul Hyder wasn't correct and that my setup is ok, and there
is just a bug related to unison ?)